commit 04a847c73bfdba57ea47d5ebdc71ecbe743fe7a8
Author: Sven Velt
Date: Tue Jan 23 22:45:00 2024 +0100
Initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bc4c0c1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,164 @@
+# ---> Ansible
+*.retry
+
+# ---> Python
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+# Usually these files are written by a python script from a template
+# before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+# For a library or package, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+# However, in case of collaboration, if having platform-specific dependencies or dependencies
+# having no cross-platform support, pipenv may install dependencies that don't work, or not
+# install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# ---> Vim
+# Swap
+[._]*.s[a-v][a-z]
+!*.svg # comment out if you don't need vector files
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
+
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4b555a0
--- /dev/null
+++ b/README.md
@@ -0,0 +1,39 @@
+deapparmor
+==========
+
+Deactivate and uninstall AppArmor
+
+Requirements
+------------
+
+- None
+
+Role Variables
+--------------
+
+Defaults:
+- `deapparmor_reboot`: False - Reboot machine if necessary
+
+Dependencies
+------------
+
+- None
+
+Example Playbook
+----------------
+
+ - hosts: servers
+ roles:
+ - { role: deapparmor }
+
+License
+-------
+
+AGPL3.0-or-later
+
+Author Information
+------------------
+
+- Sven Velt
+- https://git.velt.biz/
+
diff --git a/deapparmor.yml b/deapparmor.yml
new file mode 100644
index 0000000..f824703
--- /dev/null
+++ b/deapparmor.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+
+ roles:
+ - role: deapparmor
+
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..d572ad6
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+deapparmor_reboot: False
+
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..deecaa1
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,36 @@
+---
+- name: "[GRUB] update-grub"
+ listen:
+ - update-grub for DeAppArmor
+ ansible.builtin.command:
+ cmd: update-grub
+ ignore_errors: True
+ register: deapparmor_update_grub
+
+
+- name: "[GRUB] Do NOT reboot machine"
+ listen:
+ - update-grub for DeAppArmor
+ set_fact:
+ deapparmor_reboot: False
+ when: deapparmor_update_grub is failed
+
+
+- name: "[GRUB] Attention to update-grub"
+ listen:
+ - update-grub for DeAppArmor
+ pause:
+ prompt: "'update-grub' failed! Please check contents of /etc/default/grub"
+ minutes: 1
+ when: deapparmor_update_grub is failed
+
+
+- name: Reboot machine for DeAppArmor
+ ansible.builtin.reboot:
+ msg: Rebooting for changes taking effect
+ search_paths:
+ - /lib/molly-guard
+ - /usr/sbin
+ when: deapparmor_reboot == True
+
+
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..519b876
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,22 @@
+galaxy_info:
+ author: Sven Velt
+ description: Deinstall AppArmor
+ company: velt.biz
+ issue_tracker_url: https://git.velt.biz/Ansible/deapparmor/issues
+ license: AGPL-3.0-or-later
+ min_ansible_version: '2.10'
+ platforms:
+ - name: Debian
+ versions:
+ - buster
+ - bullseye
+ - trixie
+ - name: Devuan
+ versions:
+ - chimaera
+ - daedalus
+ galaxy_tags: []
+ namespace: velt
+
+dependencies: []
+
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..f126dae
--- /dev/null
+++ b/tasks/main.yml
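Review bot: In handlers/main.yml the "[GRUB] Attention to update-grub" handler reports a failed `update-grub` through `pause`, which as far as I know Ansible executes once for the batch rather than once per host, so `when: deapparmor_update_grub is failed` is probably decided by the first host only and a failure on any other host goes unreported; under a non-interactive runner the prompt is also just a one-minute delay. Since `ignore_errors: True` on the "[GRUB] update-grub" handler already downgrades the failure, I would report it per host instead, for example with `ansible.builtin.debug:` and `msg: "'update-grub' failed! Please check contents of /etc/default/grub"`. Separately, `when: deapparmor_reboot == True` in "Reboot machine for DeAppArmor" is false for a string value such as one passed with `-e deapparmor_reboot=true`, so the reboot is skipped without any message; `when: deapparmor_reboot | bool` accepts both forms. `set_fact` and `pause` are also the only modules here not written with the `ansible.builtin.` prefix the other tasks use.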
@@ -0,0 +1,41 @@
+---
+- name: Sanity checks
+ ansible.builtin.assert:
+ that:
+ - ansible_os_family|default("N/A") in ["Debian"]
+
+
+- name: Get distribution variables
+ ansible.builtin.include_vars:
+ file: "os_{{ ansible_os_family|lower }}.yml"
+
+
+- name: Remove packages
+ ansible.builtin.package:
+ name: "{{ deapparmor_packages }}"
+ state: absent
+ notify: "Reboot machine for DeAppArmor"
+
+
+- name: "[GRUB] Look for disabled AppArmor"
+ ansible.builtin.shell:
+ cmd: 'grep "^GRUB_CMDLINE_LINUX=.*apparmor=0" /etc/default/grub || true'
+ changed_when: False
+ register: deapparmor_grub_comdline
+
+
+- name: "[GRUB] Add apparmor=0"
+ ansible.builtin.lineinfile:
+ path: /etc/default/grub
+ line: 'GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} apparmor=0"'
+ insertafter: '^GRUB_CMDLINE_LINUX='
+ owner: root
+ group: root
+ mode: 0644
+ backup: yes
+ when: deapparmor_grub_comdline.stdout_lines|length == 0
+ notify:
+ - "update-grub for DeAppArmor"
+ - "Reboot machine for DeAppArmor"
+
+
diff --git a/vars/os_debian.yml b/vars/os_debian.yml
new file mode 100644
index 0000000..76b2122
--- /dev/null
+++ b/vars/os_debian.yml
@@ -0,0 +1,4 @@
+---
+deapparmor_packages:
+ - apparmor
+
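Review bot: In tasks/main.yml the "[GRUB] Look for disabled AppArmor" task ends its command with `|| true`, so a missing or unreadable /etc/default/grub looks the same as "parameter not set", and the role would then only fail in the following `lineinfile` task, after "Remove packages" has already run. Running the check as `ansible.builtin.command` with `cmd: grep -q '^GRUB_CMDLINE_LINUX=.*apparmor=0' /etc/default/grub` and `failed_when: deapparmor_grub_comdline.rc > 1`, then gating the next task on `deapparmor_grub_comdline.rc == 1`, keeps the no-match case and surfaces real errors; placing the check before the package removal would also avoid a half-applied host. Because this role switches off mandatory access control for the whole machine, a comment above "Remove packages" stating that, and that the `apparmor=0` kernel parameter only takes effect after a reboot which `deapparmor_reboot` leaves off by default, would help whoever reviews a playbook that includes it. The registered name `deapparmor_grub_comdline` looks like a typo for `cmdline`.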